Adobe confirms zero-day exploit bypasses Adobe Reader sandbox
The attacks are highly sophisticated and likely part of an important cyberespionage operation, a Kaspersky Lab researcher says
IDG News Service - A recently found exploit that bypasses the sandbox anti-exploitation protection in Adobe Reader 10 and 11 is highly sophisticated and is probably part of an important cyberespionage operation, the head of the malware analysis team at antivirus vendor Kaspersky Lab said.
The exploit was discovered Tuesday by researchers from security firm FireEye, who said that it was being used in active attacks. Adobe confirmed that the exploit works against the latest versions of Adobe Reader and Acrobat, including 10 and 11, which have a sandbox protection mechanism.
"Adobe is aware of reports that these vulnerabilities are being exploited in the wild in targeted attacks designed to trick Windows users into clicking on a malicious PDF file delivered in an email message," the company said in a security advisory published Wednesday.
Adobe is working on a patch, but in the meantime users of Adobe Reader 11 are advised to enable the Protected View mode by choosing the "Files from potentially unsafe locations" option under the Edit > Preferences > Security (Enhanced) menu.
The exploit and the malware it installs are super high-level, according to Costin Raiu, director of Kaspersky Lab's malware research and analysis team. "It's not something you see every day," he said Thursday.
Judging by the sophistication of the attacks, Raiu concluded that they must be part of an operation of "huge importance" that "would be on the same level with Duqu."
Duqu is a piece of cyberespionage malware discovered in October 2011 that's related to Stuxnet, the highly sophisticated computer worm credited with damaging uranium enrichment centrifuges at Iran's nuclear plant in Natanz. Both Duqu and Stuxnet are believed to have been created by a nation state.
The latest exploit comes in the form of a PDF document and attacks two separate vulnerabilities in Adobe Reader. One is used to gain arbitrary code execution privileges and one is used to escape from the Adobe Reader 10 and 11 sandbox, Raiu said.
The exploit works on Windows 7, including the 64-bit version of the operating system, and it bypasses the Windows ASLR (address space layout randomization) and DEP (Data Execution Prevention) anti-exploitation mechanisms.
When executed, the exploit opens a decoy PDF document that contains a travel visa application form, Raiu said. The name of this document is "Visaform Turkey.pdf."
The exploit also drops and executes a malware downloader component that connects to a remote server and downloads two additional components. These two components steal passwords and information about the system configuration, and can log keystrokes, he said.
The communication between the malware and the command-and-control server is compressed with zlib and then encrypted with AES (Advanced Encryption Standard) using RSA public-key cryptography.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- The Critical Role of Support in Your Enterprise Mobility Management Strategy Most business leaders underestimate the importance of tech support when they choose an EMM solution. Here's what to put on your checklist.
- Separating Work and Personal at the Platform Level: How BlackBerry Balance Works BlackBerry® Balance™ separates work from personal on the same mobile device, right at a platform level. Find out how it can work for...
- Live Webcast Best Practices for the Hyperconverged Enterprise Network To the Age of Constant Connectivity and Information overload
- Getting Ready for BlackBerry Enterprise Service 10.2 Find out how BlackBerry® Enterprise Service 10 helps organizations address the full spectrum of EMM challenges, while balancing the needs of both the...
- Containerization Options: How to Choose the Best DLP Solution for Your Organization This webcast outlines a framework for making the right choice when it comes to containerization approaches, along with the pros and cons of... All Networking White Papers | Webcasts